Agencies feel strain of balancing mobility, security

Jason Miller, executive editor, Federal News Radio

Agencies are in danger of being swallowed up by the wave of smartphones and tablets sweeping across the government if they don't start figuring out how to balance the cyber risks of mobile devices against their benefits.

While there is wide recognition from the White House to the Army to the Transportation Security Administration that they must figure out how to make mobile devices work in their environments, senior officials from across the government are struggling to make that happen.

"Bring your own device to work is a really, really good way to move forward, but that potential for even more malware on mobile devices continues to grow," said Howard Schmidt, White House cybersecurity coordinator, Wednesday during the McAfee Public Sector Summit in Arlington, Va.

Army Maj. Gen. Stephen Smith, the director of the Cyberspace Task Force for the service, said the Army believes in the concept of BYOD, but it's fraught with problems.

Dr. Emma Garrison-Alexander, TSA chief information officer, said 50,000 out of 60,000 agency employees work out of an office and mobile computing is an important tool.


"Mobility is at the forefront of what we are trying to do," she said. "We want to give our workforce the tools they need to meet our mission. The technology and capability exists, but the challenge is providing the level of security required."

Garrison-Alexander said TSA still is in the early stages of developing policy and plans for bringing smartphones and tablets on its network.

Army to release BAA for third party cyber services

The Defense Department is facing this security challenge head-on. The Army, for instance, is tired of waiting for devices to go through the standards process.

It took DoD many, many months to compile a Security Technical Implementation Guide (STIG) for its first non-Blackberry device: an Android-based tablet known as the Dell Streak. Just as DoD approved it, Dell decided to stop making the tablet.

Smith said the Army and the Defense Information Systems Agency will issue a broad agency announcement by early summer for a third-party approach to securing mobile devices. The basic concept of the BAA is a thin or zero client setup.

"If you brought your own device, you would allow us to put an agent on that device that would give you a secure tunnel into a DISA cloud or deck so that none of the information or data could be stored on the device so you eliminate the FIPS 140-2 data at rest requirement, and we can do identity management based on how you come on and what we allow you to do," Smith said. "That can be the beginning of a role based environment. I'm sure we will have to have standards on what operating system you will use. We will have to work on those details."

Smith said the BAA is concentrating on business users in the continental United States or non-combat areas because having a thin client in a combat environment doesn't work well.

DISA would provide the technology as a managed service and could expand it to other DoD services and agencies.

"We've already seen the advantages of providing just-in-time information to an employee, soldier, civilian or contractor," Smith said. "What they need, when they need it and being able to give them the mobility so we can't ignore it. Our end users will not allow it and it's not the right thing to do."

Smith said the BAA will determine which third-party integrators' services meet the Army's standards, and then task orders would be released as needed.

Marine Corps' security guidance includes actionable steps

The Marine Corps is taking a different approach to taming the mobile security challenge.

The service has focused on issuing wireless and mobile policies, but they are atypical.

"It takes the aspects of policy one step further, which actually shows an implementation process, a standard, a particular measure that you have to do so it's not just a debatable generic policy, but it is actually actionable things you can do and have tests done against you," said Ray Letteer, the chief of the Marine Corps cybersecurity division.


Letteer said the Marines also developed a zone approach for wireless depending on the risk to their network. He said Zone 1 addresses basic cybersecurity that commercial devices provide for areas such as education or public affairs. Zone 2 is for unclassified but sensitive data and security requirements increase. Zone 3 is for classified information and it requires the toughest security requirements.

Letteer said most of the time only government developed software works for Zone 3, but more and more commercial companies are meeting their needs in the classified arena.

Along with devices, the Marines are testing a concept that could make any computer a secure connection. Letteer said the Air Force Research Laboratory created the approach.

"They created a lightweight portable security construct that's built on a CD-ROM and you put it in a system and it boots up a virtual system and it contains middleware so it's PKI enabled," he said. "You can create this environment and from an untrusted environment home computer, you can create this safe virtual environment and do work from a distant location."

Letteer said the Marines would like to standardize implementations outside the U.S., and in some cases in country as well.

"We are working closely with DoD on this and other DoD organizations," he said. "The Enterprise Security Certification Group that I sit on, we are going to accredit this, standardize this and get some lessons learned."

Approved products list on the horizon

The Marines also are looking at a host of other mobile security possibilities, including putting non-secure devices in a protective sleeve so the user can view classified information on them. The service also wants secure voice capabilities on an unsecured phone.

Letteer also said the Marines are looking to develop an approved product list for mobile apps.

He said an app would go through a software review process in which the service would use a tool to make sure the code is trusted. Once it's trusted, the Marines would digitally sign the app and put it in a repository for others to use.
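The sign-then-publish step Letteer describes, reduced to its mechanics: the signing authority signs the SHA-256 digest of a reviewed package and publishes it in a repository, and a device recomputes the digest of the bytes it actually received and checks the signature under the repository's public key before installing. This is an added illustration in Go using only the standard library; it is not the Marine Corps' code, and the repository structure, the Ed25519 key pair and the package bytes are all constructed here for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedApp is one entry in the hypothetical approved-app repository:
// the package bytes as published and the authority's Ed25519 signature
// over the SHA-256 digest of those bytes.
type SignedApp struct {
	Name      string
	Package   []byte
	Signature []byte
}

// Repository is the hypothetical approved-product list: the approved apps
// plus the single public key that devices trust to have signed them.
type Repository struct {
	PubKey ed25519.PublicKey
	Apps   map[string]SignedApp
}

// NewRepository creates an empty repository and the signing key the review
// authority would hold (constructed fresh here; real keys would live in an HSM).
func NewRepository() (*Repository, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Repository{PubKey: pub, Apps: map[string]SignedApp{}}, priv, nil
}

// Approve is the last step of the review process: the package has passed
// review, so the authority signs its digest and publishes it.
func Approve(repo *Repository, priv ed25519.PrivateKey, name string, pkg []byte) SignedApp {
	digest := sha256.Sum256(pkg)
	app := SignedApp{
		Name:      name,
		Package:   append([]byte(nil), pkg...), // copy so later edits to pkg cannot alter the record
		Signature: ed25519.Sign(priv, digest[:]),
	}
	repo.Apps[name] = app
	return app
}

// Verify is what a device does before installing: hash the bytes it actually
// holds (not a digest shipped alongside them) and check the signature under
// the trusted key. Any change to the package, or a signature from another
// key, fails here.
func Verify(pub ed25519.PublicKey, app SignedApp) error {
	digest := sha256.Sum256(app.Package)
	if !ed25519.Verify(pub, digest[:], app.Signature) {
		return errors.New("signature does not verify under the repository key")
	}
	return nil
}

// Install looks an app up by name and refuses anything not in the
// repository or not verifiable against the repository key.
func Install(repo *Repository, name string) error {
	app, ok := repo.Apps[name]
	if !ok {
		return fmt.Errorf("%q is not on the approved product list", name)
	}
	return Verify(repo.PubKey, app)
}

func main() {
	repo, priv, err := NewRepository()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a reviewed app package.
	app := Approve(repo, priv, "field-maps", []byte("constructed package bytes, version 1"))
	fmt.Println("approved app installs:", Install(repo, "field-maps"))

	// A package altered after signing is rejected.
	tampered := app
	tampered.Package = []byte("constructed package bytes, version 1, plus backdoor")
	fmt.Println("tampered app rejected:", Verify(repo.PubKey, tampered))

	// An app that never went through review is not in the repository at all.
	fmt.Println("unreviewed app rejected:", Install(repo, "unknown-app"))
}
```

The device hashes the bytes it holds rather than trusting a digest shipped with the package; if the digest travelled with the package, an attacker who replaced the package could replace the digest too, and only the signature check would stand between them and the install.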

"In these wireless and mobility capabilities, we are trying to be involved upfront," Letteer said. "We want to put security in so our Marines can use it quickly, safely and securely."